Should hacked firms be cybercops?

Suppose a thief breaks into your house and steals your belongings. To cover his tracks, the thief secretly hides your stuff in a neighbor’s garage. What do you do next—go into the neighbor’s garage to retrieve your property, or call the police and hope they respond promptly?

A much more complex version of that scenario is playing out in the cybersecurity field with no clear resolution in sight.

The problem was discussed at the program “Active Cyber Defense: Emerging Legal Dialogue,” presented by the ABA Standing Committee on Law and National Security.

The issue, agreed three experts who spoke on the panel, is how far private concerns may go to track down intruders who break into their computer systems and to find where their stolen data is hidden. The dilemma, said Steven Chabinsky, is that the federal government has the statutory authority to carry out such investigations but lacks the resources and capabilities, while the private sector has the capability but lacks clear legal authority.

“The private sector has learned it has to explore the legality of doing it on its own,” he said, because there hasn’t been sufficient dialogue between private companies and the government on how to proceed. “This discussion has to emerge,” said Chabinsky, who was a deputy assistant director at the FBI before joining the cybersecurity firm CrowdStrike.

A key issue, panelist Stewart Baker said, is that the U.S. Computer Fraud and Abuse Act raises questions about whether a private concern may go outside its own network and break into outside systems to find its stolen data. A related issue, he said, is whether a company may put information into its system for the sole purpose of tracking where it goes in case of a breach. And under many foreign laws, self-defense actions by private companies amount to espionage. Baker is a partner at Steptoe & Johnson in Washington, D.C., and a former general counsel for the National Security Agency.

Meanwhile, Baker and Chabinsky said, efforts to protect data from breaches are simply not working. “We’ve never had more secure operating systems, and at the same time, we’ve never been less secure,” Baker said. Toward the end of the program, Chabinsky noted that “well over 1,000 companies probably have been intruded upon in the hour and 10 minutes we’ve been sitting here talking.”